Todos Xml Sign What You See


Published on December 9, 2008

Author: peter_gullberg

Source: slideshare.net

Todos XML Sign-What-You-See: The missing link for financial transactions

Peter Gullberg, VP Product Strategy

Founded in Göteborg, Sweden in 1987.

17 years of experience in developing security solutions primarily based on Smart Card.

Todos’ majority owner is The Sixth AP fund, a state-owned fund managing public pension funds in Sweden.

Todos is the world-leading supplier of connectable card readers; 6 million+ connectable card readers in order stock, being rolled out 2008-2009

Todos has a strong presence, ready to serve you as a customer

Todos has offices in:
- Gothenburg, Sweden (Headquarters, R&D, Sales)
- Taipei, Taiwan (Sales, production & logistics)
- Qingdao, China (R&D, China)
- Beijing, China (Sales, China)

Digital Signatures and PKI: Intro

There is an ever-increasing need to digitally sign a document, to prove authenticity and integrity

XML-Signatures [XMLDSIG] is a generic framework for signing documents

Most initiatives worldwide on digital signatures are derivative works based on the W3C's (www.w3.org) XML-Signatures, making XMLDSIG the de facto standard

Many authorities, such as governments and financial institutions, are actively adopting various XML-Signature schemes

For widespread use of digital signing there must be a digital signature infrastructure enabling digital signing of virtually any document type, “XML-Signatures”

Digital Signatures and PKI: STATUS WORLDWIDE?

Euro-zone: (CEN) Specifying citizen cards, eID…

United States: Working on PIV

UK: “Identity grid”, spending 5.6B£ and pushing identity

Norway: BankID (XMLDSIG // ETSI)

Sweden: BankID (XMLDSIG)

Brazil: ICP (XMLDSIG)

Belgium: eID (XMLDSIG // XAdES)

Germany: EBICS (XMLDSIG) for financial transfers

Other: France, Taiwan, Hong Kong, Japan, Australia, Finland, Singapore, etc.

CEN/ETSI: Specifying card interoperability, card implementations, XML-signature standards; most work is *very* good

ISO: Specifying card interoperability, middleware interoperability, card infrastructure is very important, some other work less relevant

SUMMARY: EVERYONE IS DOING SOMETHING, MOST ARE USING XMLDSIG!

Digital Signatures and PKI: BUT... THERE IS A WEAKNESS!!

Digital signature schemes fail to establish a way for the user to review and approve what he or she is about to sign in a trusted environment

This leads to doubt regarding the non-repudiation of the transaction

Using a computer screen to display what will be signed is possible, but is today not considered secure enough

Q: “Would you sign a blank check, or sign a contract without being able to review the contractual terms?”

Todos XML Sign-What-You-See

Todos XML Sign-What-You-See: BUSINESS PROPOSITION

Combines true Sign-What-You-See with PKI and XML-Signatures

Customer reviews and approves data to be signed in a secure environment

Interoperable document standard; XML

Supports legacy PKI cards and PKI schemes

Meets the requirements of the EU signature directive (1999/93/EC)

Authentication, Authorisation and Signing are separated into clearly defined processes

PIN entry is performed in a secure environment; the PIN is never exposed to the personal computer

Backwards compatible with existing Digital Signature formats, making migration possible towards Todos XML Sign-What-You-See with true SWYS

Todos XML Sign-What-You-See: WHY XML?

Based on international standards

Can be updated incrementally

Platform-independent, thus relatively immune to changes in technology

XML is heavily used as a format for document storage and processing, both online and offline

Hierarchical structure is suitable for most types of documents

Microsoft Office 2007, XML-based file formats (docx, pptx, etc.), SOAP, etc.

Todos XML Sign-What-You-See: HOW IT WORKS

Data that needs to be approved by the cardholder is tagged with a Sign-What-You-See attribute and encoded in a format understandable by the signing device

Large contractual terms are divided into a set of screens, each of which fits the device, to overcome the display limitations of a small signing device

A Secure Signing Interface solves the issue of supporting any PKI card and any PKI scheme

The “Secure Signing Interface” follows the same conceptual principles as Secure PIN Entry (defined in PC/SC 2.01-10), and can be used for both asymmetric and symmetric cryptography
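
The tagging and screen-splitting steps above, sketched as an added example (not Todos' code or document format): the `swys` attribute name, the element names and the ASCII-only display check are assumptions, since the slides do not give the actual schema. The 17-character rows match the 2x17 and 4x17 reader displays named in the deck.

```python
import textwrap
import xml.etree.ElementTree as ET

COLS = 17  # characters per display row (the readers show 2x17 or 4x17)

# Constructed sample; "swys" and the element names are hypothetical.
SAMPLE = """<payment>
  <session id="a81f"/>
  <account swys="Account number">12312-3123</account>
  <amount swys="Amount">1 234,00</amount>
  <terms swys="Terms">Transfer is final once signed by the cardholder.</terms>
</payment>"""


def swys_fields(xml_text):
    """Return (label, value) for each element tagged for cardholder approval."""
    fields = []
    for el in ET.fromstring(xml_text).iter():
        label = el.get("swys")
        if label is None:
            continue  # untagged data is never sent to the display
        value = " ".join((el.text or "").split())
        text = label + value
        # Assumed device limit: refuse anything the display cannot render
        # faithfully instead of silently substituting characters.
        if not (text.isascii() and text.isprintable()):
            raise ValueError(f"undisplayable character in field {label!r}")
        fields.append((label, value))
    return fields


def to_screens(fields, rows):
    """Split every field into screens of `rows` lines, COLS characters each."""
    screens = []
    for label, value in fields:
        lines = textwrap.wrap(f"{label}: {value}", width=COLS,
                              break_on_hyphens=False)
        for i in range(0, len(lines), rows):
            page = [ln.ljust(COLS) for ln in lines[i:i + rows]]
            screens.append(page + [" " * COLS] * (rows - len(page)))
    return screens


if __name__ == "__main__":
    for n, screen in enumerate(to_screens(swys_fields(SAMPLE), rows=2), 1):
        print(f"--- screen {n}: cardholder presses OK ---")
        print("\n".join(screen))
```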

Todos XML Sign-What-You-See: SYSTEM OVERVIEW

[Figure: bank, relying party and certificate holder]

Todos XML Sign-What-You-See: SWYS PRINCIPLE

[Figure: device screens “Account number? 12312-3123”, “Amount: 1 234,00” and “PIN? * * * *”, with OK prompts]

Todos XML Sign-What-You-See: TODOS CONNECTABLE READER

Todos Connectable 217 or 417

PC/SC 2.01 secure PIN entry

Secure Signing Interface, conceptually the same as PC/SC 2.01

Supports either 2x17 characters or 4x17 characters

Enables true Sign-What-You-See with XML documents, or other document types in the future

Supports XMLDSIG and ETSI TS 101 903 (XAdES)

Supports ISO-7816-8, -9,….

Supports ISO/IEC 24727-2

Todos XML Sign-What-You-See: EXAMPLE, “TAX DECLARATION”

[Figure: PC, reader and Secure Signing Interface; the reader displays “Mr Alegre: Your tax declaration 2008” and “Total income 2008: $125 000”, with OK prompts]

Frauds are becoming more and more sophisticated … and so is fraud mitigation

[Figure: mitigations (OTP, Challenge Response, SWYS, Static Passwords, Secure Domain Separation, Dynamic Signatures, XML Sign-What-You-See) set against threats (ID theft, key logging, phishing, spyware, man-in-the-middle, man-in-the-browser)]

One step up is not enough… Make sure you take a dynamic leap

[Figure: the same mitigations and threats]

Case #1 Nordea: Nordea's own words

Case #1 Nordea

Nordea e-kod

Nordea acted strongly to re-establish trust

Nordea replaced their existing one-time-password solution

Nordea implemented stronger-than-CAP security solutions with “Advanced Signing”, with a strong PKI solution

The new security solution has effectively stopped all attacks on the internet bank

Case #2 ABN AMRO Source: Finextra 2/4-07

Case #2 ABN AMRO

ABN AMRO e.dentifier2

ABN Amro had to act strongly

One year later, in June-08, ABN Amro started deploying the third-generation security solution “e.dentifier2”

Protects banking customers over the next 5-7 years.

True mitigation against Man-in-the-Middle attacks, with improved Transaction Data Signing with “Sign-What-You-See” (SWYS)

“The most secure end-user device today” (ABN Amro’s own statement)

Todos’ Promise: A UNIQUE POSITION

Todos holds a unique position by offering…

… One system for all Solutions

All devices can be used simultaneously

One end-user can have multiple devices

Multi issuer service

Cost efficient with low total cost of ownership

… a Wide range of Devices

From Printed Cards, tokens to connectable Readers

Enables true segmentation of users

… High technical knowledge

Secure Domain Separation

Dynamic Signatures – True agility

Sign-What-You-See

XML Sign-What-You-See

Customization: tailor made look and feel

Todos product portfolio: The complete solution

Thank You Peter Gullberg VP Product Strategy +46 31 775 88 00 [email_address] www.todos.se
